We use automatic updates to make sure we have the latest features and to get fixes for bugs and security vulnerabilities, but what if the automatic update feature itself were the vulnerability?
Automatic updates are a vulnerability in the sense that they allow an external entity to change its software to anything at all and push it straight onto your computer, usually with the same privileges the software already has. The only things stopping that are trust and the entity's own cyber security.
Trust is at the core of a brand: when you use a piece of software you trust that it will do only what it is supposed to do. If the entity betrayed that trust and modified the software to do something malicious, the expectation is that its users would abandon the software. So the assumption is that, to avoid this, the entity will not make its software malicious even though it could.
The cyber security of any company, business or organisation (entity) is important, but even more so if the entity ships software with an automatic update. If the entity is hacked, the attacker can compromise the update pipeline and run their own malicious code on every user's computer, delivered through a channel those users already trust and have configured to install without review. This happened with SolarWinds, whose Orion update mechanism delivered a trojanised build that the company's own pipeline had signed, and it will happen again.
Does this mean you shouldn’t use automatic updates?
With unlimited resources you would write all your own code, control every piece of software on your computer and never need an automatic update. We do not live in that world, so in our world of limited resources you have to accept some risk and use software from external entities. Fortunately this is good for the economy and the environment, because we share the "wheel" rather than everyone building their own, and with the appropriate steps the risk that comes with automatic updates can be reduced.
So it is important to make sure any automatically updated software comes from an entity with strong cyber security and one you have reason to trust. This is essentially supplier risk, and it needs to be managed like any other supplier risk. There are also technical options to restrict software even when it is automatically updated: verifying that an update is signed by the expected publisher before it is installed, staging updates through a small test group before rolling them out widely, and running the software with only the privileges it needs, so a bad update has a smaller blast radius. Note that a publisher signature alone does not protect you if the publisher itself is compromised, which is why the approval step and least privilege matter.
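As an added illustration (this is not code from the original post, from SolarWinds or from any vendor's updater), here is a Python sketch of the kind of gate an organisation can put in front of an automatic update. The manifest format, the vendor name, the version numbers and the package bytes are all invented for the example, and a vendor-published SHA-256 stands in for a real code signature so the example runs with the standard library only. It enforces three checks: the downloaded bytes match what the vendor published, the build is not a downgrade, and the build is on the organisation's own approved list. The third check is the one that matters against a compromised supplier, because a build from a hacked pipeline will pass the first two.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class UpdateManifest:
    """What a vendor's update feed tells the client about a release.

    Hypothetical format invented for this example; real feeds differ.
    """
    publisher: str
    version: Version
    sha256: str  # hex digest the vendor publishes for the package bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_update(manifest: UpdateManifest, package: bytes,
                    installed_version: Version,
                    approved: Set[Tuple[str, Version, str]]) -> Tuple[bool, str]:
    """Decide whether an automatically delivered update may be installed.

    approved: the organisation's own allowlist of (publisher, version, sha256)
    triples it has reviewed, maintained separately from the vendor feed.
    Returns (allowed, reason).
    """
    # 1. Integrity: the bytes actually downloaded must match the manifest.
    if not hmac.compare_digest(sha256_hex(package), manifest.sha256):
        return False, "package hash does not match manifest"

    # 2. Anti-rollback: never accept an older build than the one installed,
    #    since a downgrade reintroduces already-fixed vulnerabilities.
    if manifest.version < installed_version:
        return False, "downgrade refused"

    # 3. Change control: a build that matches its own manifest can still be
    #    malicious if the vendor's pipeline was compromised, so require the
    #    organisation's explicit approval (e.g. after a staged test rollout).
    if (manifest.publisher, manifest.version, manifest.sha256) not in approved:
        return False, "build not on the organisation's approved list"

    return True, "ok"


# Constructed sample data: not real software, versions or hashes.
GOOD_PACKAGE = b"example-agent build 2.1.4"
TAMPERED_PACKAGE = b"example-agent build 2.1.4 + backdoor"
INSTALLED: Version = (2, 1, 3)

GOOD_MANIFEST = UpdateManifest("ExampleVendor", (2, 1, 4), sha256_hex(GOOD_PACKAGE))

# What a compromised vendor pipeline might publish: internally consistent,
# so an integrity check on its own would let it through.
ROGUE_PACKAGE = b"example-agent build 2.1.5 built by the attacker"
ROGUE_MANIFEST = UpdateManifest("ExampleVendor", (2, 1, 5), sha256_hex(ROGUE_PACKAGE))

OLD_PACKAGE = b"example-agent build 2.0.0"
OLD_MANIFEST = UpdateManifest("ExampleVendor", (2, 0, 0), sha256_hex(OLD_PACKAGE))

# The organisation has reviewed and approved only 2.1.4 so far.
APPROVED = {(GOOD_MANIFEST.publisher, GOOD_MANIFEST.version, GOOD_MANIFEST.sha256)}


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Run each scenario through the gate and return the decisions."""
    return {
        "good": evaluate_update(GOOD_MANIFEST, GOOD_PACKAGE, INSTALLED, APPROVED),
        "tampered_in_transit": evaluate_update(GOOD_MANIFEST, TAMPERED_PACKAGE, INSTALLED, APPROVED),
        "rogue_vendor_build": evaluate_update(ROGUE_MANIFEST, ROGUE_PACKAGE, INSTALLED, APPROVED),
        "rollback": evaluate_update(OLD_MANIFEST, OLD_PACKAGE, INSTALLED, APPROVED),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:20s} -> {'INSTALL' if allowed else 'BLOCK'} ({reason})")
```

In a real deployment the manifest hash would be replaced by a signature check against the publisher's pinned key, and the approved list would be fed by your change-control process (a pilot group runs the build first, then it is promoted). The structure of the decision stays the same: integrity, no rollback, then your own approval, with the approval step being the control that a hacked supplier cannot bypass.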
If you need help understanding supplier risk and how it can be managed read our other relevant blogs and contact Vertex to talk to our Cyber Experts.